Malware Alert: New DeerStealer Campaign

A new variant of sophisticated information-stealing malware, DeerStealer, has been identified targeting personal and financial data across infected systems. Using signed binaries, rootkit-like techniques, and deceptive installers (like Adobe Acrobat Reader), it evades detection while maintaining persistence via scheduled tasks.
 
Key highlights:

• Steals system info, credentials, crypto wallets, browser & app data.
• Uses obfuscated files and hidden components for stealth.
• Communicates with C2 servers and can switch servers to avoid detection.
• Sold and supported on dark-web forums and Telegram channels.
• Stay vigilant! Always verify downloads and keep security tools updated.

 Link to the Research Report: https://www.cyfirma.com/research/deerstealer-malware-campaign-stealth-persistence-and-rootkit-like-capabilities/

#CYFIRMA #MalwareAnalysis #InfoStealer #DeerStealer #ThreatIntel #CyberSecurity

https://www.cyfirma.com/

Defence Industry Cyber Threats: Espionage Meets Monetization

CYFIRMA observed sustained cyber campaigns targeting the global defence sector.

Key Highlights from the report:

• China: Long-term persistence in telecom & enterprise networks via router/switch compromises, harvesting IP and credentials.
• Russia: Disrupting logistics & transport contractors supporting Ukraine, aiming to destabilize defence supply chains.
• North Korea: Blending IP theft with aggressive financial operations, treating cybercrime as both a strategy and a revenue stream.
• Iran: Politically motivated intrusions aligned with regional tensions, occasionally spilling into Western-linked suppliers.
• Cybercriminals: Pivoting away from ransomware encryption → toward direct data theft + leak-driven extortion, exploiting misconfigured cloud environments and subcontractor access.
• Hacktivists: Amplifying propaganda through nuisance-level DDoS, often pro-Russian aligned.

Why it matters:
The defence industry is now under dual pressure, espionage-driven persistence and monetization-driven extortion. The underground economy confirms it: data leaks dominate dark web chatter, while ransomware “lock-and-encrypt” tactics are fading. Cloud-native techniques, subcontractor abuse, and living-off-the-land persistence are reshaping how adversaries sustain access and monetize breaches.

Link to the research report: https://www.cyfirma.com/research/cyfirma-defence-industry-threat-report/

#DefenceCyberSecurity #ThreatIntelligence #Espionage #CloudSecurity #SupplyChainRisk #CyberExtortion #RedTeam #BlueTeam #CYFIRMA

https://www.cyfirma.com/

🚨 Threat Intelligence Alert – XillenStealer 🚨
 
CYFIRMA research identifies XillenStealer, a Python-based open-source information stealer circulating on GitHub, built to exfiltrate:
 🔹 Browser credentials & cookies
 🔹 Cryptocurrency wallets
 🔹 Discord, Steam, Telegram sessions
 🔹 System & network data + screenshots

Key insights:
 ⚙️ Builder GUI lowers entry barriers, enabling even low-skilled actors to deploy the malware.
 📤 Data exfiltration is routed via Telegram bots.
 🕵️‍♂️ Anti-analysis, sandbox evasion & persistence mechanisms enhance stealth.
 🌐 Linked to Russian-speaking cybercriminal group “Xillen Killers” offering a suite of offensive tools & services.
🔑 Why it matters: Open-source availability accelerates adoption by threat actors, while also giving defenders valuable visibility to improve detection & mitigation.

✅ Recommendations:
Deploy advanced EDR & monitor unusual traffic to Telegram/Discord.
Enforce MFA & system hardening.
Educate users on phishing & malicious downloads.
Patch, monitor, and back up regularly.
🛡️ Stay proactive. Stay protected.

Link to the Research Report: https://www.cyfirma.com/research/unmasking-a-python-stealer-xillenstealer/

#CyberSecurity #ThreatIntelligence #Malware #XillenStealer #InfoStealer  #Cyfirma

https://www.cyfirma.com/

India faced a wave of coordinated cyberattacks in July-August 2025 from multiple countries targeting government and public systems. Notably, a sophisticated malware campaign impersonated the Income Tax Department, tricking users into downloading a malicious file linked to a Chinese-operated server for data theft.

Other attacks included data breaches, DDoS, defacements, and phishing scams. This rise in multi-nation hacktivism highlights the urgent need for strong cyber defenses and vigilance. Stay alert, verify sources, and protect your data! 
 
Link to the Research Report: https://www.cyfirma.com/research/digital-frontlines-india-under-multi-nation-hacktivist-attack/

#CYFIRMAResearch #CYFIRMA #CyberSecurity #Malware #Phishing  #Hacktivism #IndiaCyberThreats

https://www.cyfirma.com/

Stay ahead with CYFIRMA’s Monthly Ransomware Report – Aug 2025.

CYFIRMA’s August 2025 Ransomware Report recorded 522 global victims, a slight dip but still far above 2023–24 levels. Qilin led with 84 attacks, while Akira surged by 35% targeting SonicWall VPNs and abusing Intel drivers for BYOVD evasion. Charon adopted APT-grade stealth, and 4L4MD4R blended Chinese ToolShell exploits with ransomware deployment. AI abuse accelerated with Claude enabling RaaS and PromptLock showcasing LLM-powered ransomware. Emerging groups Yurei, Desolator, and Anubis expanded globally, with the U.S., Canada, and UK most affected, and professional services, consumer services, and manufacturing hit hardest.

Link to the Research Report: https://www.cyfirma.com/research/tracking-ransomware-august-2025/

#CyberSecurity #Ransomware #ThreatIntel #ETLM #CYFIRMA #Qilin #Akira #Charon #4L4MD4R #AIThreats

https://www.cyfirma.com/

China's South China Sea ambitions stalled: ASEAN Fights Back Amid U.S. Distractions – check out the latest CYFIRMA report on Beijing's ambitions hitting a wall in the South China Sea, and the fallout in cyberspace. 

Link to the Research Report: https://www.cyfirma.com/research/grey-zone-warfare-in-chinas-stalled-south-china-sea-ambitions/

#Geopolitics #CYFIRMAresearch #ThreatIntelligence #cybersecurity #ETLM #currentaffairs #MilitaryAffairs #GreyZoneCoertion #UNCLOS #MischiefReef #Spratlys #ExternalThreatLandscapeManagement

https://www.cyfirma.com/

CYFIRMA researchers have uncovered a malware campaign exploiting a spoofed Telegram Premium site—telegrampremium[.]app—to distribute a new variant of Lumma Stealer.

Key Findings:

• Drive-by download delivers malicious start.exe without user interaction

• Targets browser credentials, crypto wallets, system info

• Employs obfuscation, DGA-based domains, public DNS evasion

• Uses legitimate platforms (e.g., t.me, Steam) for stealthy C2

• Windows-focused, written in C/C++, and uses advanced evasion techniques

Stay vigilant. Threat actors are innovating—brand impersonation and drive-by downloads are on the rise.

Link to the Research Report: https://www.cyfirma.com/research/fake-telegram-premium-site-distributes-new-lumma-stealer-variant/

#CyberSecurity #ThreatIntelligence #Malware #LummaStealer #Telegram #CYFIRMA #InfoStealer #CyberThreat #APT

https://www.cyfirma.com/

Critical Alert: CVE-2025-8671 – HTTP/2 “MadeYouReset” DoS Vulnerability

Organizations operating HTTP/2-enabled infrastructure—such as Apache Tomcat, Netty, F5 BIG-IP, Jetty, and other affected stacks—must act swiftly. This newly uncovered flaw enables attackers to bypass HTTP/2 stream-concurrency protections and trigger unbounded backend processing by exploiting mismatched stream reset handling, leading to severe Denial-of-Service (DoS) conditions.

This vulnerability demands urgent attention—its low-complexity technique and global exposure pose a high-priority threat to web infrastructure availability.

Link to the Research Report: https://www.cyfirma.com/research/cve-2025-8671-http-2-madeyoureset-vulnerability-ddos-attack/

#CyberSecurity #MadeYouReset #CVE20258671 #HTTP2 #DoS #ThreatIntel #ExternalThreatLandscapeManagement #VulnerabilityAlert #StreamResetAttack #InfrastructureSecurity #CYFIRMA CYFIRMAresearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/

Stay ahead with CYFIRMA’s Monthly Ransomware Report – July 2025.

CYFIRMA’s July 2025 Ransomware Report recorded 504 global victims, a 7.5% rise from June, reflecting sustained threat levels. Qilin remained the most active, while Incransom and SafePay surged. Interlock introduced FileFix, a stealthy Windows UI-based delivery method; GLOBAL GROUP launched an AI-powered RaaS; and Gunra expanded to Linux with multithreaded encryption. Emerging actors like Dire Wolf and D4RK4RMY focused on data leaks and ideological messaging, moving beyond traditional encryption. Scattered Spider escalated attacks on VMware ESXi through social engineering. The U.S., Canada, and the UK were top targets, with consumer services, professional services, and manufacturing sectors hit hardest. Attackers increasingly leverage native OS tools, cloud abuse, and MFA fatigue to evade detection.

Link to the Research Report: https://www.cyfirma.com/research/tracking-ransomware-july-2025/

#CyberSecurity #Ransomware #ThreatIntel #ETLM #CYFIRMA #Qilin #SafePay #Interlock #GLOBALGROUP #Gunra #DireWolf #D4RK4RMY #ScatteredSpider #CYFIRMAresearch #ExternalThreatLandscapeManagement #APT #LinuxRansomware

https://www.cyfirma.com/

CYFIRMA’s latest report explores Infos3c Grabber Stealer, a Python-based grabber malware that steals passwords, wallets, gaming accounts & Discord/Telegram data, captures screenshots, and exfiltrates via Discord. 

Use endpoint security + traffic monitoring to stay safe.

Link to the Research Report: https://www.cyfirma.com/research/unveiling-a-python-stealer-inf0s3c-stealer/

#CyberSecurity #ThreatIntel #Malware #DataTheft #InfoStealer #WindowsSecurity #EndpointProtection #ThreatHunting #Inf0s3c #grabber #CYFIRMA #CYFIRMAresearch #ExternalThreatLandscapeManagement #ETLM

https://www.cyfirma.com/